My company is in the process of upgrading from Exchange 2007 to Exchange 2010, and our public DNS / AD namespace situation is somewhat unique. Our public namespace is company.com, but our internal AD namespace is company.int. Thus we appear to have the need for multiple certificates on our CAS server, with external clients connecting to one web site using one certificate and internal clients connecting to another web site using another certificate. Because the .int public domain suffix is reserved for international organizations formed via treaties, we're unable to get an SSL certificate with SANs that cover both our internal and external namespaces.
Tried following the MSFT guide posted here, but once completed the Exchange Management Console breaks, we start to see inconsistent behavior with the routing of IP traffic from the 2nd IP address (Windows appears to intermittently send traffic onto the wire with the wrong source address), and we have problems getting the 2nd address (external site) to not register in DNS. The last problem results in some clients connecting to the wrong site and getting certificate errors.
As a temporary workaround we have issued an SSL certificate from our own AD certificate authority with SANs that cover all of the names. This is working for functionality testing, but once we start to move large numbers of users over with non-domain-joined mobile devices and PCs this fix will be a no-go.
Is there an easier, less complex solution to handle this situation?
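The two symptoms described in the question (the second address being picked as a source address and being registered in DNS) are what the SkipAsSource flag on an additional IP address is meant to prevent. The following PowerShell is an added example, not code from the original post or from the Microsoft guide it refers to: it binds the external-site address with SkipAsSource set, verifies the result, and then lists the Subject Alternative Name entries of every certificate in the machine store so you can confirm which names (company.com versus company.int) each certificate can actually serve. The interface alias "Ethernet" and the 192.0.2.x addresses are assumptions for illustration (RFC 5737 documentation range), and the Net* cmdlets need Windows Server 2012 or later; the netsh equivalent for Windows Server 2008 R2 is shown at the end.

```powershell
# Added example (not from the original post). Assumptions: interface alias
# "Ethernet", internal CAS address already bound, 192.0.2.11 is the external
# web-site address. Requires Windows Server 2012+ for the Net* cmdlets.

$InterfaceAlias = 'Ethernet'
$ExternalIP     = '192.0.2.11'   # constructed example address (RFC 5737)

# Add the second address with SkipAsSource=$true. The address still works as a
# destination (the external web site can listen on it), but the stack will not
# choose it as the source of outbound packets, and the DNS client leaves it out
# of dynamic registration of the host A record.
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $ExternalIP `
    -PrefixLength 24 -SkipAsSource $true | Out-Null

# Verify: every IPv4 address on the adapter and whether it is source-eligible.
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength, SkipAsSource |
    Format-Table -AutoSize

# If the address was added earlier without the flag, fix it in place instead:
# Set-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $ExternalIP -SkipAsSource $true

# Re-register the host record so a previously registered second address drops
# out of DNS (after the zone's scavenging/TTL, clients stop seeing it).
ipconfig /registerdns | Out-Null

# Return the DNS names listed in a certificate's Subject Alternative Name
# extension (OID 2.5.29.17). Works without the Exchange snap-in, so it can be
# run on any machine that holds a copy of the certificate.
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=mail.company.com".
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

# One line per certificate in the machine store: which names it covers and
# when it expires. Compare this against the names the internal and external
# web sites are actually reached by.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [PSCustomObject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        DnsNames   = (Get-CertificateDnsNames $_) -join ', '
    }
} | Format-List

# Windows Server 2008 R2 equivalent of the address step (no Net* cmdlets):
# netsh interface ipv4 add address "Local Area Connection" 192.0.2.11 255.255.255.0 skipassource=true
```

On Windows Server 2008 R2, after adding the address with netsh, reboot and check the host's A record on the AD DNS server (and the output of `ipconfig /all`) to confirm the second address really stayed out of registration before pointing any clients at it.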